Text strings, or just “strings” for short, are pieces of human-readable text contained within a piece of code.
Consider the following code:
printf("Hello World!");
This code calls the function printf with the text string “Hello World!”, which results in the application outputting “Hello World!”.
While the printf function call will be translated into machine code, the string will remain intact and stored somewhere within the application.
Under normal circumstances, code is stored in the .text section and strings are stored in the .data or .rdata section.
The naming can be somewhat confusing: the application’s code is compiled to binary and is therefore not “text” in the human-readable sense, yet it is the code that lives in .text.
By browsing sections like .data or .rdata it’s possible to see many of the text strings embedded within a normal application.
Often these strings can give us clues as to what the application is doing.
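As an added example (not part of the original challenge material), the Python below walks a PE file's section table and lists the printable strings found in each section, which is what browsing .data or .rdata in a disassembler shows. The function names are hypothetical, the sample image is a constructed, non-runnable buffer, and the UTF-16LE scan goes beyond the ASCII case described above.

```python
import re
import struct

def pe_sections(data):
    """Yield (name, raw_bytes) for every section listed in a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    for i in range(count):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def printable_runs(raw, min_len=4):
    """Return ASCII runs, then UTF-16LE runs, of at least min_len printable characters."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in narrow.finditer(raw)]
    return found + [m.group().decode("utf-16-le") for m in wide.finditer(raw)]

def strings_by_section(data, min_len=4):
    """Map each section name to the list of strings found in its raw bytes."""
    return {name: printable_runs(raw, min_len) for name, raw in pe_sections(data)}

def sample_image():
    """Constructed, non-runnable buffer: PE headers plus .text and .rdata contents."""
    text = bytes.fromhex("488d0d00000000e800000000c3")     # lea rcx,[rip]; call; ret
    rdata = (b"Hello World!\0\0\0\0" + "config.ini".encode("utf-16-le")
             + b"\0\0" + b"%s failed\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)
    ptr, headers = 0x40 + 24 + 2 * 40, b""
    for name, raw in ((b".text", text), (b".rdata", rdata)):
        headers += struct.pack("<8sIIII16x", name, len(raw), 0, len(raw), ptr)
        ptr += len(raw)
    return dos + coff + headers + text + rdata

if __name__ == "__main__":
    for section, found in strings_by_section(sample_image()).items():
        print(section, found)
```

The machine code in .text yields no strings, while .rdata gives up all three; a sample that conceals its strings would show little or nothing readable here.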
Most malware will attempt to conceal, encrypt, or obfuscate text strings to avoid making it too easy to write detection rules or reverse engineer the code. There are many different techniques by which this can be done. These challenges will introduce you to just some of the many ways malware can conceal text.
This challenge introduces a common technique used by malware to conceal text strings inside code. You’ll need to perform static analysis and figure out how the flag is concealed.
Recommended Environment
Host Machine: Anything with an x86_64 CPU (32-bit CPUs won’t work and ARM CPUs will require an emulator).
Virtual Machine: VMware or VirtualBox
Operating System: Windows 10 64-bit
Disassembler: Binary Ninja or Ghidra
Note: for Windows Labs, the walkthrough videos will be done using Binary Ninja, with a 64-bit Windows 10 Virtual Machine running on VMware Workstation Pro. You are free to choose your own software and hardware, but be aware that there will only be official support for the recommendations listed above; any custom setups are your own responsibility.

